Empire as a Payload
Through Empire’s stager generation and the PowerPick implementation, it has the capability to be interoperable with the Metasploit framework. This means that Empire can be thrown as a payload from any attack platform that supports Reflective DLL loading.
To do this in, first we must generate a payload in Empire and ensure our listeners are started. Type listeners, and execute a listener. Next, use the “usestager” command to generate an x86 dll with the corresponding listener.
Once the payload is generate and Empire is prepped, next we move over to the Metasploit Framework. The handler that can serve up empire is any “dllinject” module. This will support http, https, and tcp staging options and can be used as the payload thrown during any exploit. For demo sake, we will launch the handler and execute a payload manually to imitate a phish.
After the Metasploit handler is set up, we simply execute our payload to simulate a phish. Once execute, we will see the Metasploit stager serve up the reflective dll and we will see empire receive the callback.
The ability to generate a stager reflective dll extends Empire into not only the Metasploit Framework but also a number of other modern attack platforms.
You also have the ability to execute an Empire agent through Metasploit by using the windows/exec payload. You can do this by generating the empire 1-liner and then setting it as the CMD field within the windows/exec payload in Metasploit. This can either be done within msfconsole or using msfvenom:
This will output an exe that will execute an Empire agent when ran. This can be used with any of the output formats that Metasploit supports. When executed on the target, you will see an Empire agent call home: